Writeup
Web
English
curious
If you use burpsuite to intercept HTTP requests sent from the browser, you will see, in addition to the normal requests, a request to /burp5u17e_ch4ll3nge.
We can put this request into the Repeater to take a closer look.
You can see that the response says "Let's start the challenge!", and you may also notice a Challenge header in the request that doesn't seem to be a typical header found in an HTTP request. You can try changing the value of Challenge to 1 and see what happens.
By doing so, you should obtain the first segment of the flag and the URL for the next challenge.
The hint provided in the challenge can also give you some ideas on how to approach it.
fetch suggests that this JavaScript code will send an additional request to the server with a custom header, so you can use burpsuite to intercept the request.
However, the challenge is designed in a way that discourages you from looking at the JavaScript code, which has been obfuscated.
If you access /cur1_ch4ll3nge directly through a browser, you will see the message 'Do you know how to use curl?'. Therefore, you can try using the command curl http://lotuxctf.com:20001/cur1_ch4ll3nge to access this webpage.
The challenge asks how to view headers using curl, so you can add the -i option to see what happens.
After reading the hint provided in the challenge, you may realize that we need to find out what request methods the server supports. Luckily, there is a request method called OPTIONS that can be used to ask the server what methods it supports. Therefore
You can see that there is a very strange method listed. You can try sending a request using that method and see what happens.
By doing so, you should be able to successfully access the next challenge.
If you access /r3que57s_ch4ll3nge directly through a browser, you will see the message 'How to browse websites with Python?'. Therefore, you can use the Python requests library to access this webpage.
You can see that the server has verified your identity, so there should be a Set-Cookie header that sets a cookie to indicate that you are logged in. The server also states that you need to use the POST method to obtain sensitive information. In order to maintain your login status, you can carry the cookie that represents your identity when using POST. Alternatively, you can use the requests.Session object to automatically handle this for you.
Putting the three flag segments together will give you the complete flag!
Compare the results of doing sha256 with burpsuite,_curl,_requests and the flag.